Thanks for the reply! Half an hour after I posted here I found the solution. It was the replay cache. Disable it and everything works fine. The load now is about 1 or less.

BillieGDJoe

2010/8/2 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> Can you try to disable the replay cache as described here and let me know
> the load please?
>
> Thank you
> Markus
>
> "Billie Joe" <billiegdjoe@xxxxxxxxx> wrote in message
> news:AANLkTi=ZU4Qs-rBjxDeuvyYQbokxJ0j1Aw+fx+EpMQQc@xxxxxxxxxxxxxxxxx
>>
>> Hi Folks,
>>
>>
>> Here it is:
>>
>>
>> Hardware specs:
>>
>> HP DL160G6, 8GB RAM, 2 SAS 146GB 15K RPM RAID01
>>
>> OS specs:
>>
>> Centos 5.5 X86-64 - 2.6.18-194.8.1.el5
>> Windows Server 2003 R2 (AD)
>>
>> Packages:
>>
>> squid-2.6.STABLE21-6.el5
>> krb5-libs-1.6.1-36.el5_5.5
>> pam_krb5-2.2.14-15
>> pam_krb5-2.2.14-15
>> krb5-libs-1.6.1-36.el5_5.5
>> krb5-workstation-1.6.1-36.el5_5.5
>>
>> squid.conf:
>>
>> visible_hostname hostname.domain
>>
>> http_port 3128
>> icp_port 3130
>>
>> hierarchy_stoplist cgi-bin ?
>>
>> ### no auth
>> acl RepoNoauth url_regex "/opt/catfish/etc/rules/url_regex/RepoNoauth"
>> acl Servidores src "/opt/catfish/etc/rules/src/Servidores"
>> http_access allow Servidores RepoNoauth
>>
>> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s
>> HTTP/hostname.domain
>> auth_param negotiate children 1500
>> auth_param negotiate keep_alive on
>>
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 50
>> authenticate_ttl 12 hours
>> auth_param ntlm keep_alive on
>>
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Cluster Proxy
>> auth_param basic credentialsttl 2 hours
>>
>> negative_ttl 10 seconds
>>
>> cache_store_log none
>>
>> max_filedesc 32768
>>
>> cache_swap_high 96
>>
>> strip_query_terms off
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> acl QUERY urlpath_regex cgi-bin \?
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 21 70 80 81 82 85 88 89 90 100 210 280 333 443 488
>> 563 591 777 800-65535
>> acl CONNECT method CONNECT
>> acl HEAD method HEAD
>>
>> ### changed
>> acl Safe_ports port 21 70 80 81 82 83 85 88 89 90 100 210 280 333 443
>> 488 563 591 777 800-65535
>> acl all src 0.0.0.0-255.255.255.255
>> acl allUsuariosHorarioDeAlmoco src 0.0.0.0-255.255.255.255
>> acl allUsuariosNegados src 0.0.0.0-255.255.255.255
>> acl snmppublic snmp_community public
>> acl gerenciador src 127.0.0.0/8 10.96.156.0/24 10.8.1.0/24 10.96.210.0/24
>>
>> delay_pools 3
>> ### some slow sites
>> ### gnutella
>> acl portaslentas port 6346 1214
>> delay_class 1 1
>> delay_access 1 allow portaslentas
>> delay_parameters 1 666/666
>>
>> ### movies
>> acl sitesdefilme url_regex "/opt/catfish/etc/rules/url_regex/SitesFilmes"
>> acl extensoesdefilmes urlpath_regex -i \.avi \.mpg \.mpeg \.mov
>> delay_class 2 2
>> delay_access 2 allow sitesdefilme
>> delay_parameters 2 -1/-1 10000/10000 5000/5000
>>
>> ### Toledo
>> acl filmesemusicas urlpath_regex -i \.avi \.mpg \.mpeg \.mp3 \.mov
>> acl rangetoledo src 10.194.0.0-10.194.255.255
>> delay_class 3 1
>> delay_access 3 allow filmesemusicas rangetoledo
>> delay_parameters 3 666/666
>>
>> # expanions ilha consulta
>> acl Expanion url_regex "/opt/catfish/etc/rules/url_regex/Expanion"
>> acl IPExpanion src "/opt/catfish/etc/rules/src/IPExpanion"
>> http_access allow IPExpanion Expanion
>> http_access deny all IPExpanion
>>
>> # sites allowed without authentication
>> acl SitesNoauth url_regex "/opt/catfish/etc/rules/url_regex/SitesNoauth"
>> http_access allow all SitesNoauth
>> always_direct allow SitesNoauth
>> http_access allow HEAD SitesNoauth
>>
>> # allow skype
>> acl skype_port port 443
>> acl connect_skype method CONNECT
>> acl LiberarSkype src "/opt/catfish/etc/rules/src/IPAcessoLiberarIMs"
>> http_access allow LiberarSkype skype_port connect_skype
>>
>> # ACLs for logins
>> acl Todos proxy_auth REQUIRED
>> acl free proxy_auth_regex "/opt/catfish/etc/auth/rules/free"
>> acl freeip src "/opt/catfish/etc/auth/rules/freeip"
>> acl LiberarIMsauth proxy_auth_regex
>> "/opt/catfish/etc/rules/src/UsuariosLiberarIMs"
>>
>> ### bagre acls
>> acl UsuariosBloquearIMs proxy_auth_regex
>> "/opt/catfish/etc/rules/src/UsuariosBloquearIMs"
>> acl UsuariosLiberarIMs proxy_auth_regex
>> "/opt/catfish/etc/rules/src/UsuariosLiberarIMs"
>> acl IPAcessoDefinidoNegado src
>> "/opt/catfish/etc/rules/src/IPAcessoDefinidoNegado"
>> acl IPAcessoDefinidoHorarioDeAlmoco src
>> "/opt/catfish/etc/rules/src/IPAcessoDefinidoHorarioDeAlmoco"
>> acl IPAcessoDefinidoLiberado src
>> "/opt/catfish/etc/rules/src/IPAcessoDefinidoLiberado"
>> acl UsuariosNegados proxy_auth_regex
>> "/opt/catfish/etc/rules/src/UsuariosNegados"
>> acl UsuariosHorarioDeAlmoco proxy_auth_regex
>> "/opt/catfish/etc/rules/src/UsuariosHorarioDeAlmoco"
>> acl UsuariosLiberados proxy_auth_regex
>> "/opt/catfish/etc/rules/src/UsuariosLiberados"
>> acl IPAcessoPadraoHorarioDeAlmoco src
>> "/opt/catfish/etc/rules/src/IPAcessoPadraoHorarioDeAlmoco"
>> acl IPAcessoPadraoLiberado src
>> "/opt/catfish/etc/rules/src/IPAcessoPadraoLiberado"
>> acl IPAcessoPadraoNegado src
>> "/opt/catfish/etc/rules/src/IPAcessoPadraoNegado"
>> acl InstantMessengersAllow url_regex
>> "/opt/catfish/etc/rules/url_regex/InstantMessengersAllow"
>> acl InstantMessengers url_regex
>> "/opt/catfish/etc/rules/url_regex/InstantMessengers"
>> acl SitesNoauth url_regex "/opt/catfish/etc/rules/url_regex/SitesNoauth"
>> acl IPAcessoLiberarIMs src "/opt/catfish/etc/rules/src/IPAcessoLiberarIMs"
>> acl IPAcessoBloquearIMs src
>> "/opt/catfish/etc/rules/src/IPAcessoBloquearIMs"
>> acl SitesBloqueados url_regex
>> "/opt/catfish/etc/rules/url_regex/SitesBloqueados"
>> acl SitesPermitidos url_regex
>> "/opt/catfish/etc/rules/url_regex/SitesPermitidos"
>> acl HorarioDeAlmoco time "/opt/catfish/etc/rules/time/HorarioDeAlmoco"
>> acl LiberarEnderecosInternos src
>> "/opt/catfish/etc/rules/src/LiberarEnderecosInternos"
>> ### /bagre acls
>>
>> # ACLs for sites
>> acl RedeInterna url_regex "/opt/catfish/etc/auth/rules/RedeInterna"
>> acl Excessoes url_regex "/opt/catfish/etc/auth/rules/Excessoes"
>>
>> # malware block list
>> acl malware_block_list url_regex -i
>> "/opt/catfish/etc/rules/url_regex/malware_block_list.txt"
>>
>> no_cache deny QUERY
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>>
>> ### changed
>> snmp_access allow snmppublic localhost
>> snmp_access allow snmppublic gerenciador
>> snmp_access deny all
>> snmp_port 3420
>> snmp_incoming_address 0.0.0.0
>> snmp_outgoing_address 0.0.0.0
>>
>> http_access allow Todos Excessoes free
>> http_access allow Excessoes freeip
>> http_access allow LiberarIMsauth InstantMessengersAllow
>> http_access deny malware_block_list
>>
>> ### bagre rules
>> http_access allow UsuariosLiberarIMs InstantMessengersAllow
>> http_access deny UsuariosBloquearIMs InstantMessengers
>> http_access allow IPAcessoLiberarIMs InstantMessengersAllow
>> http_access deny IPAcessoBloquearIMs InstantMessengers
>> http_access deny SitesBloqueados
>> http_access allow SitesPermitidos
>> http_access deny IPAcessoDefinidoNegado
>> http_access allow IPAcessoDefinidoHorarioDeAlmoco HorarioDeAlmoco
>> http_access deny IPAcessoDefinidoHorarioDeAlmoco
>> http_access allow IPAcessoDefinidoLiberado
>> http_access deny UsuariosNegados allUsuariosNegados
>> http_access allow UsuariosHorarioDeAlmoco HorarioDeAlmoco
>> http_access deny UsuariosHorarioDeAlmoco allUsuariosHorarioDeAlmoco
>> http_access allow UsuariosLiberados
>> http_access allow IPAcessoPadraoLiberado
>> http_access allow IPAcessoPadraoHorarioDeAlmoco HorarioDeAlmoco
>> http_access deny IPAcessoPadraoHorarioDeAlmoco
>> http_access deny IPAcessoPadraoNegado
>> http_access allow LiberarEnderecosInternos
>> ### /bagre rules
>> deny_info IP_HORARIO_IMPROPIO IPAcessoDefinidoHorarioDeAlmoco
>> IPAcessoPadraoHorarioDeAlmoco
>> deny_info USUARIO_HORARIO_IMPROPIO allUsuariosHorarioDeAlmoco
>> deny_info ERR_USR_ACCESS_DENIED allUsuariosNegados
>> deny_info MALWARE malware_block_list
>>
>> http_reply_access allow all
>> icp_access allow all
>>
>> cache_effective_user squid
>>
>> cache_mgr cachemgr@xxxxxxxxxxxx
>> maximum_object_size 4096 KB
>>
>> access_log /var/log/squid/access.log squid
>> logfile_rotate 5
>>
>> error_directory /usr/share/squid/errors/Myerrors
>>
>> cache_dir ufs /var/spool/squid 4096 16 256
>>
>> cache_mem 4096 MB
>>
>> half_closed_clients off
>>
>> cache deny all
>>
>> Problem:
>>
>> Everything works fine, except that the load of the system gets to 1000 and
>> keeps increasing when using Kerberos authentication, which results in a
>> slow response from the proxy server to users. When using only ntlm
>> authentication (commented the line of Kerberos authentication), the
>> load is no more than 2, which results in a fast response of the proxy
>> server to users. CPU utilization is always low. No swap utilization by
>> kernel. In my test environment, with 20 users I always get fast
>> responses. The problem occurs when I put the server in production.
>> What is happening with Kerberos authentication?
>>
>> --
>>
>>
>> "Computers are like air-conditioners.
>> They stop working when you open Windows."
>> BillieGDJoe
>>
>
>
>

--
"Computers are like air-conditioners.
They stop working when you open Windows."
BillieGDJoe
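
Added example, not part of the original thread: the instructions Markus linked to are not reproduced above, but in MIT Kerberos the replay cache type is chosen by the KRB5RCACHETYPE environment variable, and the value none disables it. The variable only takes effect if the squid_kerb_auth helpers inherit it from the script that starts squid, so this check reads a process environment in /proc/<pid>/environ format; the function names, sample data and keytab path are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which Kerberos replay-cache type a process was
# started with. Input is NUL-separated KEY=VALUE data, which is the
# format of /proc/<pid>/environ on Linux.

# rcache_type FILE -> prints the KRB5RCACHETYPE value, or "default" if unset
rcache_type() {
    val=$(tr '\0' '\n' < "$1" | sed -n 's/^KRB5RCACHETYPE=//p' | head -n 1)
    echo "${val:-default}"
}

# rcache_disabled FILE -> exit status 0 if the replay cache is off
rcache_disabled() {
    [ "$(rcache_type "$1")" = "none" ]
}

# check_helpers NAME -> "<pid> <type>" for every running process called NAME.
# Needs root (or the helper's own user) to read /proc/<pid>/environ.
check_helpers() {
    for pid in $(pgrep -x "$1"); do
        printf '%s %s\n' "$pid" "$(rcache_type "/proc/$pid/environ")"
    done
}

# Constructed sample: environment of a helper started with the cache disabled.
sample=$(mktemp)
printf 'PATH=/sbin:/usr/sbin\0KRB5RCACHETYPE=none\0KRB5_KTNAME=/etc/squid/HTTP.keytab\0' > "$sample"
echo "sample helper replay cache: $(rcache_type "$sample")"
rm -f "$sample"

# On a live proxy: check_helpers squid_kerb_auth
```

With the type set to none the helper keeps no record of authenticators it has already accepted, so replay detection for the proxy's HTTP/ service principal is what gets traded for the lower load reported in this thread.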